The Linux kernel development community recently addressed CVE-2021-46935, a vulnerability in binder, the kernel subsystem responsible for inter-process communication (IPC). The flaw is incorrect async_free_space accounting for empty parcels.

The history of this issue goes back to the 4.13 Linux kernel and commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space"), which resolved an issue regarding kernel structure visibility. As part of that patch, sizeof(void *) was used as the buffer size for 0-length data payloads so the driver could detect abusive clients sending 0-length asynchronous transactions to a server and enforce limits on async_free_size.

However, the free path did not match this: when the buffer was freed, the async_free_space accounting did not add the sizeof(void *) back. Consequently, up to 8 bytes of async_free_space were leaked on every async transaction of 8 bytes or less. Such small transactions are uncommon, which is why the accounting error went unnoticed for several years.

The fix is to use "buffer_size" (the allocated buffer size) instead of "size" (the logical buffer size) when crediting async_free_space back during the free operation, so that the amount credited on free equals the amount charged on allocation. The two values are the same except for asynchronous transactions with payloads smaller than 8 bytes.
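To make the accounting drift concrete, the following is a constructed user-space model of the charge-on-allocate / credit-on-free bookkeeping described above. It is an added illustration, not binder or kernel code: the header charge MODEL_BUFFER_HDR stands in for sizeof(struct binder_buffer), MODEL_ASYNC_BUDGET stands in for a process's async budget, and binder's pointer-size alignment of non-empty payloads is omitted. The model charges sizeof(void *) for an empty parcel exactly as the text describes, and then frees it once with the pre-fix logic (credit the logical size) and once with the fixed logic (credit the reserved size).

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of binder's async_free_space accounting (not kernel code).
 * Assumed sizes: MODEL_BUFFER_HDR stands in for sizeof(struct binder_buffer),
 * MODEL_ASYNC_BUDGET stands in for a process's async transaction budget.
 */
#define MODEL_BUFFER_HDR 64u
#define MODEL_ASYNC_BUDGET 4096u

struct model_buffer {
	size_t data_size;    /* logical payload size requested by the client */
	size_t offsets_size; /* logical size of the offsets array */
	size_t buffer_size;  /* what the allocator actually reserved */
};

struct model_proc {
	long async_free_space; /* remaining budget for async transactions */
};

/* Allocator side: an empty parcel is still charged sizeof(void *) so the
 * driver can account for clients that flood a server with empty async
 * transactions. Alignment of non-empty payloads is omitted in this model. */
static size_t model_reserved(size_t data_size, size_t offsets_size)
{
	size_t payload = data_size + offsets_size;
	return payload ? payload : sizeof(void *);
}

/* Returns 0 on success, -1 when the async budget is exhausted (ENOSPC analogue). */
static int model_alloc(struct model_proc *proc, struct model_buffer *buf,
		       size_t data_size, size_t offsets_size)
{
	size_t reserved = model_reserved(data_size, offsets_size);
	long charge = (long)(reserved + MODEL_BUFFER_HDR);

	if (proc->async_free_space < charge)
		return -1;
	buf->data_size = data_size;
	buf->offsets_size = offsets_size;
	buf->buffer_size = reserved;
	proc->async_free_space -= charge;
	return 0;
}

/* Pre-fix free: credits the logical size (data_size + offsets_size) back. */
static void model_free_buggy(struct model_proc *proc, const struct model_buffer *buf)
{
	proc->async_free_space += (long)(buf->data_size + buf->offsets_size + MODEL_BUFFER_HDR);
}

/* Fixed free: credits the reserved size back, so alloc and free always balance. */
static void model_free_fixed(struct model_proc *proc, const struct model_buffer *buf)
{
	proc->async_free_space += (long)(buf->buffer_size + MODEL_BUFFER_HDR);
}

/* Run n alloc/free cycles of an async transaction with the given payload and
 * return how far async_free_space has drifted below its starting value.
 * Correct accounting returns 0 regardless of payload size or n. */
static long model_drift(int use_fix, size_t payload, int n)
{
	struct model_proc proc = { (long)MODEL_ASYNC_BUDGET };
	struct model_buffer buf;

	for (int i = 0; i < n; i++) {
		if (model_alloc(&proc, &buf, payload, 0) != 0)
			break; /* budget exhausted although nothing is outstanding */
		if (use_fix)
			model_free_fixed(&proc, &buf);
		else
			model_free_buggy(&proc, &buf);
	}
	return (long)MODEL_ASYNC_BUDGET - proc.async_free_space;
}

/* Count how many empty async transactions complete before a process with no
 * buffers outstanding is refused further async work; -1 if never within limit. */
static int model_cycles_until_refused(int use_fix, int limit)
{
	struct model_proc proc = { (long)MODEL_ASYNC_BUDGET };
	struct model_buffer buf;

	for (int i = 0; i < limit; i++) {
		if (model_alloc(&proc, &buf, 0, 0) != 0)
			return i;
		if (use_fix)
			model_free_fixed(&proc, &buf);
		else
			model_free_buggy(&proc, &buf);
	}
	return -1;
}

int main(void)
{
	printf("buggy, empty parcel, 100 cycles: drift %ld bytes\n", model_drift(0, 0, 100));
	printf("fixed, empty parcel, 100 cycles: drift %ld bytes\n", model_drift(1, 0, 100));
	printf("buggy, 8-byte parcel, 100 cycles: drift %ld bytes\n", model_drift(0, 8, 100));
	printf("buggy accounting refuses an empty parcel after %d cycles\n",
	       model_cycles_until_refused(0, 100000));
	return 0;
}
```

With the pre-fix free, each empty parcel leaks sizeof(void *) bytes of budget, and after enough cycles a process that holds no buffers at all is refused its next async transaction; with the fixed free, drift stays at zero for every payload size. The same pattern (charge and credit computed from different quantities) is worth checking in any allocator that keeps a separate quota counter.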

Here is the diff reflecting the change:

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 48ee6d58ada5..b6de7ef16ea7 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -3781,7 +3781,7 @@ static void binder_free_transaction(struct binder_proc *proc,
 	BUG_ON(actual_buffer_size > LONG_MAX);
 
 	if (buffer->txn_async) {
-		u64 size = (u64)buffer->data_size + buffer->offsets_size +
+		u64 size = (u64)buffer_size +
 			sizeof(struct binder_buffer);
 
 		spin_lock(&proc->lock);
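Review bot: the `+` line introduces `buffer_size` without any declaration visible in the hunk, while the context at the top of the hunk checks `actual_buffer_size` in the `BUG_ON`; please confirm `buffer_size` is the variable actually in scope in `binder_free_transaction` (or whether `actual_buffer_size` was intended), and since `size` now holds the allocated rather than the logical size, a short comment or a rename would stop the next reader from assuming it is still `data_size + offsets_size`.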

References

1. Original commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=74310e06be4da05bcdda1fdcfd902fd6789bb6
2. Linux Kernel Mailing List post: https://lkml.org/lkml/2021/9/7/1083
3. CVE-2021-46935 Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46935

This vulnerability and its fix emphasize the importance of continuously auditing and maintaining the Linux kernel code. Though small transactions are uncommon, identifying and addressing such issues ensures a more secure and stable kernel environment. Long-term, the community's effort to find, fix, and prevent vulnerabilities contributes significantly to the overall health of the Linux kernel and the many systems that rely on it.

Timeline

Published on: 02/27/2024 10:15:07 UTC
Last modified on: 04/10/2024 18:24:38 UTC